-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 10/25/2012 09:47 PM, Wanlong Gao wrote:
> On 10/25/2012 02:14 AM, Daniel J Walsh wrote:
>> On 10/24/2012 11:42 AM, Richard W.M. Jones wrote:
>>> Dan & Dan,
>>>
>>> Any comments on the design of this restorecon interface? As
>>> implemented here, it is merely a simple encoding of the restorecon
>>> command line tool and arguments.
>>>
>>> My main worry is that it'll use the wrong policy file, or perhaps no
>>> policy file, or if SELinux isn't enabled properly it'll end up
>>> destroying labels instead of setting them.
>>>
>>> Also I've no idea if it's legit to run restorecon on a filesystem
>>> from one guest, using the restorecon command from another system (the
>>> host in this case).
>>>
>>> Rich.
>>>
>> The restorecon inside the guest will attempt to read
>> /etc/selinux/context/POLICYTYPE/files/file_context if it exists.
> So, Rich, we have some problems here?
> Thanks, Wanlong Gao
From restorecon's point of view does this file exist? And is it in the
container?
Also restorecon will only work if it thinks SELinux is enabled and the
kernel understands the labels. If from the restorecon point of view SELinux
is not enabled or /proc/fs/selinux points to the host's /proc/fs/selinux
then there is a chance that the host will reject labels in the guest.
If you want to fix labels in a guest where the process thinks SELinux is
disabled, then setfiles would be a better tool.
>>> On Wed, Oct 24, 2012 at 10:00:53PM +0800, Wanlong Gao wrote:
>>>> Add a new api restorecon to restore file(s) default SELinux
>>>> security contexts.
>>>>
>>>> Signed-off-by: Wanlong Gao <gaowanlong(a)cn.fujitsu.com> ---
>>>> daemon/selinux.c | 52
>>>> ++++++++++++++++++++++++++++++++++++++++++++++++++++
>>>> generator/actions.ml | 26 ++++++++++++++++++++++++++
>>>> gobject/Makefile.inc | 6 ++++-- po/POTFILES | 1 +
>>>> src/MAX_PROC_NR | 2 +- 5 files changed, 84 insertions(+), 3
>>>> deletions(-)
>>>>
>>>> diff --git a/daemon/selinux.c b/daemon/selinux.c index
>>>> 40590e1..f5e8cb2 100644 --- a/daemon/selinux.c +++
>>>> b/daemon/selinux.c @@ -31,6 +31,10 @@ #include "actions.h"
#include
>>>> "optgroups.h"
>>>>
>>>> +#define MAX_ARGS 128 + +GUESTFSD_EXT_CMD(str_restorecon,
>>>> restorecon); + #if defined(HAVE_LIBSELINUX)
>>>>
>>>> int @@ -106,3 +110,51 @@ do_getcon (void) }
>>>>
>>>> #endif /* !HAVE_LIBSELINUX */ + +int +do_restorecon (const char
>>>> *pathname, + const char *labelprefix, +
>>>> int recursion, + int force) +{ + int r; + size_t i
>>>> = 0; + char *buf; + char *err; + const char *argv[MAX_ARGS]; + +
>>>> buf = sysroot_path (pathname); + if (!buf) { +
>>>> reply_with_error ("malloc"); + return -1; + } + + ADD_ARG
>>>> (argv, i, str_restorecon); + + if (optargs_bitmask &
>>>> GUESTFS_RESTORECON_LABELPREFIX_BITMASK) { + ADD_ARG (argv, i,
>>>> "-L"); + ADD_ARG (argv, i, labelprefix); + } + + if
>>>> (optargs_bitmask & GUESTFS_RESTORECON_RECURSION_BITMASK) + if
>>>> (recursion) + ADD_ARG (argv, i, "-R"); + + if
>>>> (optargs_bitmask & GUESTFS_RESTORECON_FORCE_BITMASK) + if
>>>> (force) + ADD_ARG (argv, i, "-F"); + + ADD_ARG (argv, i,
>>>> buf); + ADD_ARG (argv, i, NULL); + + r = commandv (NULL, &err,
>>>> argv); + free (buf); + if (r == -1) { + reply_with_error ("%s:
>>>> %s", pathname, err); + free (err); + return -1; + } + +
>>>> free (err); + return 0; +} diff --git a/generator/actions.ml
>>>> b/generator/actions.ml index 71aee37..786c229 100644 ---
>>>> a/generator/actions.ml +++ b/generator/actions.ml @@ -10241,6
>>>> +10241,32 @@ If the optional C<suffix> parameter is given, then
>>>> the suffix
>>>>
>>>> See also: C<guestfs_mkdtemp>." };
>>>>
>>>> + { defaults with + name = "restorecon"; + style =
RErr,
>>>> [Pathname "pathname"], [OString "labelprefix"; OBool
"recursion";
>>>> OBool "force"]; + proc_nr = Some 374; + optional = Some
>>>> "selinux"; + tests = [ + InitScratchFS, IfAvailable
"selinux",
>>>> TestRun ( + [["mkdir"; "/a"]; +
["mkdir"; "/a/b"]; +
>>>> ["touch"; "/a/b/c"]; + ["mkdir";
"/a/d"]; + ["touch";
>>>> "/a/d/e"]; + ["restorecon"; "/a";
"NOARG"; "true"; "true"]]) +
>>>> ]; + shortdesc = "restore file(s) default SELinux security
>>>> contexts"; + longdesc = "\ +This program is primarily used
to
>>>> reset the security context (type) +(extended attributes) on one or
>>>> more files. + +It can be run at any time to correct errors, to add
>>>> support for new policy. + +If a file object does not have a
>>>> context, restorecon will write the default +context to the file
>>>> object's extended attributes. If a file object has a +context,
>>>> C<restorecon> will only modify the type portion of the security
>>>> +context. The C<force> option will force a replacement of the
>>>> entire context."}; + ]
>>>>
>>>> (* Non-API meta-commands available only in guestfish. diff --git
>>>> a/gobject/Makefile.inc b/gobject/Makefile.inc index
>>>> 95a4b6b..7451d8e 100644 --- a/gobject/Makefile.inc +++
>>>> b/gobject/Makefile.inc @@ -82,7 +82,8 @@ guestfs_gobject_headers= \
>>>> include/guestfs-gobject/optargs-hivex_open.h \
>>>> include/guestfs-gobject/optargs-xfs_repair.h \
>>>> include/guestfs-gobject/optargs-mke2fs.h \ -
>>>> include/guestfs-gobject/optargs-mktemp.h +
>>>> include/guestfs-gobject/optargs-mktemp.h \ +
>>>> include/guestfs-gobject/optargs-restorecon.h
>>>>
>>>> guestfs_gobject_sources= \ src/session.c \ @@ -146,4 +147,5 @@
>>>> guestfs_gobject_sources= \ src/optargs-hivex_open.c \
>>>> src/optargs-xfs_repair.c \ src/optargs-mke2fs.c \ -
>>>> src/optargs-mktemp.c + src/optargs-mktemp.c \ +
>>>> src/optargs-restorecon.c diff --git a/po/POTFILES b/po/POTFILES
>>>> index a73377d..8d6656b 100644 --- a/po/POTFILES +++ b/po/POTFILES
>>>> @@ -167,6 +167,7 @@ gobject/src/optargs-mount_local.c
>>>> gobject/src/optargs-ntfsclone_out.c gobject/src/optargs-ntfsfix.c
>>>> gobject/src/optargs-ntfsresize.c +gobject/src/optargs-restorecon.c
>>>> gobject/src/optargs-rsync.c gobject/src/optargs-rsync_in.c
>>>> gobject/src/optargs-rsync_out.c diff --git a/src/MAX_PROC_NR
>>>> b/src/MAX_PROC_NR index a5c3fde..38a45c3 100644 ---
>>>> a/src/MAX_PROC_NR +++ b/src/MAX_PROC_NR @@ -1 +1 @@ -373 +374 --
>>>> 1.8.0
>
BTW it is fairly easy to add C code to do the labeling here.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
iEYEARECAAYFAlCKlrgACgkQrlYvE4MpobNY6ACgoYJRoSP7c4Jpe4FJynwPGfhA
lO4An003i3sFF8w5RjXxsi7GUTzgSy5/
=veTC
-----END PGP SIGNATURE-----
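The preflight a practitioner would run before relabeling a guest tree that is mounted on another system, written out as an added example (it is not code from the patch or from any message in this thread). It follows the message above in reaching for setfiles rather than restorecon, and it assumes the Fedora/RHEL layout in which the guest's /etc/selinux/config names its policy type as SELINUXTYPE=... and the spec lives at /etc/selinux/<type>/contexts/files/file_contexts; the "guest" root it operates on is constructed inside the script. The point it demonstrates is the one raised in the thread: decide which policy the relabel will use, and refuse when the guest has none, instead of letting the tool fall back to whatever the host happens to have.

```shell
#!/bin/sh
# Preflight checks before relabeling a guest filesystem tree that is mounted
# on the host (e.g. under /sysroot or /mnt/guest).  Added example; it is not
# part of the libguestfs patch or of any message in this thread.
#
# Assumptions (Fedora/RHEL layout): the guest names its policy type in
# $ROOT/etc/selinux/config as SELINUXTYPE=<type>, and its file-context spec
# lives at $ROOT/etc/selinux/<type>/contexts/files/file_contexts.

# Policy type configured inside the guest, read from the guest's own config
# rather than the host's.  Fails if the guest has no SELinux config at all.
guest_policy_type() {
    cfg="$1/etc/selinux/config"
    [ -r "$cfg" ] || return 1
    # Take the last SELINUXTYPE= assignment; the ^ anchor skips commented lines.
    sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*//p' "$cfg" \
        | tail -n 1 | tr -d '"[:space:]'
}

# Full path of the guest's file_contexts spec; fails when it is missing, which
# is exactly the case where a blind relabel would run with no guest policy.
guest_file_contexts() {
    ptype=$(guest_policy_type "$1") || return 1
    [ -n "$ptype" ] || return 1
    spec="$1/etc/selinux/$ptype/contexts/files/file_contexts"
    [ -r "$spec" ] || return 1
    printf '%s\n' "$spec"
}

# Does the kernel we run on expose selinuxfs?  Without it, labels that get
# written cannot be validated against a loaded policy (both mount points checked).
host_selinux_enabled() {
    [ -r /sys/fs/selinux/enforce ] || [ -r /proc/fs/selinux/enforce ]
}

# The setfiles invocation that would relabel $1 using the guest's own spec.
# -r makes setfiles treat $1 as the root, so $1/etc/passwd is matched against
# the spec entry for /etc/passwd rather than a path no policy mentions.
# -n keeps it a dry run; drop it once the preview looks right.
relabel_command() {
    spec=$(guest_file_contexts "$1") || return 1
    printf 'setfiles -n -v -r %s %s %s\n' "$1" "$spec" "$1"
}

# Constructed sample guest root used by the demo below (not a real guest).
make_sample_guest() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/selinux/targeted/contexts/files"
    printf 'SELINUX=enforcing\n# SELINUXTYPE=mls is commented out\nSELINUXTYPE=targeted\n' \
        > "$root/etc/selinux/config"
    printf '/etc(/.*)?\tsystem_u:object_r:etc_t:s0\n' \
        > "$root/etc/selinux/targeted/contexts/files/file_contexts"
    printf '%s\n' "$root"
}

# Stand-alone demo: run the preflight on the sample root and show the command
# it would execute (nothing is actually relabeled).
demo=$(make_sample_guest)
if host_selinux_enabled; then
    echo "selinuxfs: present"
else
    echo "selinuxfs: absent, labels cannot be validated on this kernel"
fi
relabel_command "$demo" || echo "no usable file_contexts under $demo; refusing to relabel"
rm -rf "$demo"
```

The script never runs setfiles itself; it prints the command after confirming that the guest carries a policy spec, which keeps the decision about which policy applies explicit and auditable before any extended attributes are touched.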